CVE-2015-2963: Content type spoofing vulnerability
If an HTML file is uploaded with a .html extension but its content type is declared as image/jpeg, it bypasses a validation that checks for images. It also passes the spoof check, because a file that is named .html and contains actual HTML is internally consistent: its extension matches its content.
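The interaction of the two checks, as an added Ruby example that is not the affected project's code. The function names, the type tables and the sample byte strings are assumptions constructed for illustration; the last function shows a check that ties the declared type, the extension and the sniffed content together.

```ruby
# Simplified model of the two checks described above (hypothetical names).
IMAGE_TYPES = %w[image/jpeg image/png image/gif].freeze
EXT_TYPES = {
  ".html" => "text/html", ".jpg" => "image/jpeg", ".jpeg" => "image/jpeg",
  ".png" => "image/png", ".gif" => "image/gif"
}.freeze

# Constructed sample inputs.
HTML_BODY = "<html><body>hello</body></html>"
JPEG_BODY = "\xFF\xD8\xFF\xE0".b + "constructed-sample"

# Minimal sniffing on leading bytes (illustrative, not exhaustive).
def sniff_type(bytes)
  data = bytes.b
  return "image/jpeg" if data.start_with?("\xFF\xD8\xFF".b)
  return "image/png"  if data.start_with?("\x89PNG\r\n\x1A\n".b)
  return "image/gif"  if data.start_with?("GIF87a", "GIF89a")
  return "text/html"  if data.lstrip.downcase.start_with?("<!doctype html", "<html")
  "application/octet-stream"
end

# Check 1 as described: trusts the client-declared content type.
def declared_type_is_image?(declared)
  IMAGE_TYPES.include?(declared)
end

# Check 2 as described: compares only the extension with the actual content.
def spoof_check_passes?(filename, bytes)
  EXT_TYPES[File.extname(filename).downcase] == sniff_type(bytes)
end

# Hardened: the allow-list applies to the sniffed type, and both the
# declared type and the extension must agree with it.
def upload_allowed?(filename, declared, bytes)
  actual = sniff_type(bytes)
  IMAGE_TYPES.include?(actual) &&
    declared == actual &&
    EXT_TYPES[File.extname(filename).downcase] == actual
end
```
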